April 28, 2015 by Angela Stelmakowich, Editor
NEW ORLEANS, La. – A focus on the “here and now” could prove disruptive to the organizational strategies of companies, at least on the short-term horizon, perhaps highlighting the importance of aligning strategy and what risk management is being asked to do, suggests a new report released Monday at the RIMS 2015 Annual Conference & Exhibition in New Orleans.
The 12th Annual Excellence in Risk Management Survey, conducted jointly by Marsh and RIMS, was released during a press conference at the conference. The latest edition of the annual review is based on 300-plus responses to an online survey and a series of focus groups with risk executives.
Many of the risk executives in the focus groups said that they are being asked to do things on risk that might be disruptive to the strategies of their organizations, Carol Fox, director of the strategic and enterprise risk practice at RIMS and a co-author of the report, told reporters during a press conference.
When you start looking at the strategic effect of risk, Fox said, “we’re seeing a bit of a trend where risk management is being asked to look more at not just identifying those risks, but how effective are they in planning for those emerging risks over the planning horizon, which might be three to five years.”
The report found that critical risk management functions continue to advance and their overall influence grows within organizations — a trend that is likely to continue given the complexity of the global business environment.
Despite that positive, though, more can be done to improve the risk management department’s strategic effectiveness, notes a joint statement from RIMS, the risk management society, and Marsh, a global provider of insurance broking and risk management services.
“For the first time, the Excellence Survey sought to better understand how organizational alignment affects the execution of a risk management strategy,” the statement notes.
“Successful risk executives strive to ensure that they and their organizations have a clear point of view about risk management priorities, how those priorities may change, and where organizational gaps in alignment exist,” states the report. “To execute on these elements, they need to understand how the decisions regarding risk management investments, structure, communications and measurement impact their growing strategic role,” it adds.
Still, lack of alignment was also an issue with regard to emerging risks, although that could represent an opportunity for risk professionals.
Just 27% of risk professionals polled reported that identifying emerging risks would be a priority in the coming year. This is at odds with “the message being heard from boards that they are more concerned about ‘what’s around the corner.’ For example, could geopolitical events introduce volatility into strategic plans? Or what impact might climate change or water scarcity have on operations or expansion decisions?” the report notes.
“Although we found generally effective alignment on the noted priorities, members of the discussion groups agreed that a focus on the ‘here and now’ is the predominant guiding principle and that more needs to be done to understand emerging risks,” the report adds.
“Many of the risk executives that we talked with in the focus groups said that the focus of most of their organizations was on the here and now, and that there’s a growing concern that their Boards of Directors and executives may be overly concentrating on things like the regulatory disclosure requirements and compliance, which tend to be retrospective views versus emerging risks and how those issues can impact their organizations, which is a much more prospective view,” Elowe told reporters.
“Alignment with other, more strategic functions is generally higher (nearly double in some cases) when risk management reports into somewhere other than finance. This is most notable in the areas of ERM (enterprise risk management), compliance, IT risk management, privacy and security,” states the report.
“Our finding reflected a difference between those risk management departments reporting to the CFO/treasurer and those reporting elsewhere,” the report notes. “For example, 27% of those who report into the CFO/treasurer expect an increase in spending for training risk management staff, whereas 46% – nearly double – of those reporting elsewhere expect an increase,” it points out.
Brian Elowe, a managing director at Marsh and co-author of the report, told reporters that 50% of risk executives fundamentally report into the finance area. “Finance executives certainly have an opportunity to facilitate greater organizational connections for the risk management departments that report to them in order to position them for broader impact across the enterprise,” Elowe notes in the joint statement.
One risk management director suggested in the report that it would be best to focus on strategic alignment rather than on function alignment.
There are some areas where alignment is better. The survey looked at the functions reporting into risk management, either directly or via a dotted line, Elowe told reporters.
“Obviously the traditional functions of insurance and claims management were well-aligned, and we saw a very significant growing alignment in the area of IT,” he said. “I think that is an outcome, if you will, of the growing cyber risk and the need for organizations to have more of a multi-disciplinary approach to how cyber is affecting their organizations.”
The report considers how risk management stacks up against some key pillars of successful execution of any organizational strategy or initiative, namely priority setting, organizational structure and performance measurement standards.
“Companies are requiring a ‘risk perspective’ as they develop business strategy, and risk management executives are uniquely positioned to provide the bigger picture around risk. In so doing, they can bridge the gaps between their boards’ view of risk and the way managers at the operational level see risk,” it argues.
The risk management areas that respondents reported will be a priority – respondents could choose three from the list – for their respective organizations over the next 12 months are as follows:
• cyber security, 43%;
• identifying and improving risk management best practices, 36%;
• risk training and awareness, 33%;
• insurance program optimization, 31%;
s management, 27%;
• identifying emerging risks facing the organization, 27%;
• analytics to support strategic decisions, 23%;
• managing specific (or a set of) ongoing organizational risk(s), 19%;
• using risk management practices to improve strategy execution, 19%;
• risk management staffing levels, 17%; and
• supply chain vulnerabilities, 12%.
Other findings from the survey include the following:
• the majority of risk professionals categorized state collapse, climate change and water crisis – among the top global risks in this year’s World Economic Forum Global Risks 2015 report in terms of their likeliness to happen and their potential impact over the next 10 years – as risks that are not of immediate concern;
• only 44% of respondents said senior management was aligned regarding the analytics required to make key risk decisions – less than for any other area asked about;
• just 23% of respondents said analytics to support strategic decisions will be a priority for their organizations in the coming 12 months;
• 82% of respondents reported they have conducted assessments to determine their vulnerability to cyber attacks and IT outages, but less than 40% said they have modelled potential losses; and
• just over 70% of respondents noted no interaction with their organization’s supply chain.
Speaking to the last point, Elowe told reporters: “When we look at that relative to things like the Japanese tsunami situation a few years ago and other major elements that affected supply chains of organizations and created a lot of organizational disruption, if you will, to business flow, we find that that is really an outlier out there that probably requires some greater connections inside organizations.”
The survey findings “certainly suggest that more can be done to elevate discussions around emerging risk issues within organizations, with an eye toward potential long-term operational and/or financial consequences,” Fox says in the joint statement.
“Aligning stakeholders in an ever-changing environment can be a challenge. Many current measurement methodologies fail to uncover the value that risk executives bring to their organization,” the report states.
“Nonetheless, the critical risk management functions continue to advance and their overall influence grows. Given the complexity of the global business environment, this dynamic is unlikely to slow any time soon,” the survey adds.
“The good news is senior leadership more than ever is relying on risk management to provide strategic input around business strategy, so there is a real opportunity for risk professionals to lead discussions in this area,” says Fox.
The report includes a number of recommendations, including the following:
• develop strategies to increase alignment regarding risk and risk management across the organization;
• work within the organization and through networking outside the organization to explore performance measurements that more closely reflect the risk management function’s strategic value; and
• build a broader framework around cyber risk that identifies intellectual property assets as well as data at risk, models potential circumstances and consequences, and involves all areas in response planning that may have responsibilities before, during or after an event.